04-29-2010 07:35 AM
Hello
I've got a 2651xm router acting as an easy VPN server to allow me access onto my network - all works great.
I'm living abroad and want to be able to configure the router to allow 'internet on a stick' functionality - by adding a loopback interface etc etc.
My question is - can I have multiple (and I don't know if the word is policies, group-maps, crypto maps etc.) so that I can connect one way so that I can still get on my internal network, and connect another way for when I want to use 'internet on a stick'?
I don't know at which level I need the additional configuration - is it a new crypto isakmp policy, is it a new crypto map? My current VPN configuration is as follows...
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ezvpn
key XXX
pool SDM_POOL_1
max-users 5
max-logins 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface FastEthernet0/0
description Interface$ETH-WAN$
ip address 78.105.111.95 255.255.248.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
04-29-2010 07:41 AM
Hi Robert,
What you want is to have a VPN profile to connect and get Internet access through the router and another VPN profile to connect to the inside LAN?
Basically, you want different profiles with different requirements, is that it?
You can create distinct VPN groups to connect with the client (different PCF files).
You can also use crypto profiles. Take a look:
Federico.
04-29-2010 12:39 PM
Yes, you are correct in your confirmation of what I want to do, but I don't understand what I need to add to the configuration to allow me to do this...
Do I basically replicate the configuration that I already have but point it at the loopback interface, or are there elements of the existing configuration that I can reuse so I'm not doubling up on items?
I cannot open the link that you have provided me - it's coming up with 'forbidden file or application' - even though I have a full SMARTnet contract!
04-29-2010 12:46 PM
For example, you currently have this group:
crypto isakmp client configuration group ezvpn
key XXX
pool SDM_POOL_1
max-users 5
max-logins 1
You can create another group (will be another PCF file)
crypto isakmp client configuration group new_tunnel
key new_tunnel123
pool SDM_POOL_2
max-users 5
max-logins 1
With the above configuration, you can connect using two VPN groups.
The first group will connect with group name ezvpn and password XXX.
The second group will connect with group name new_tunnel and password new_tunnel123.
When you apply an ACL to a group, for example, to the second group:
crypto isakmp client configuration group new_tunnel
key new_tunnel123
pool SDM_POOL_2
max-users 5
max-logins 1
acl 101
The ACL 101 will indicate which traffic is to be encrypted through the tunnel (split-tunneling).
So, pretty much based on the ACLs and the VPN groups, you can manipulate what the VPN clients can do.
About the ISAKMP profiles, you can search on Google for an explanation as well.
Federico.
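The two-group layout Federico describes can be audited from a saved running-config before it is trusted: which client groups carry a split-tunnel ACL and which send everything through the tunnel (the behaviour the 'internet on a stick' group needs, and the LAN-only group should not get by accident), and whether two groups were accidentally pointed at the same address pool. The script below is an added example, not code from the thread; the config text inside it is constructed from the stanzas quoted above, with one-space indentation as IOS writes it, and the function names are my own.

```python
import re

# Constructed sample, modelled on the two groups posted in the thread (not a real device dump).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group ezvpn
 key XXX
 pool SDM_POOL_1
 max-users 5
 max-logins 1
!
crypto isakmp client configuration group new_tunnel
 key new_tunnel123
 pool SDM_POOL_2
 max-users 5
 max-logins 1
 acl 101
!
"""

GROUP_RE = re.compile(r"^crypto isakmp client configuration group (\S+)$")


def parse_ezvpn_groups(config_text):
    """Return {group_name: {sub-command: argument}} for each client configuration group."""
    groups, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        m = GROUP_RE.match(line)
        if m:
            current = groups.setdefault(m.group(1), {})
        elif line.startswith(" ") and current is not None:
            # Indented line belongs to the open stanza, e.g. " pool SDM_POOL_2" -> pool=SDM_POOL_2
            attr, _, value = line.strip().partition(" ")
            current[attr] = value
        else:
            current = None  # '!' or any unindented command closes the stanza
    return groups


def audit_groups(groups):
    """Flag groups with no split-tunnel ACL (all client traffic tunnelled) and pools shared by groups."""
    findings, pools = [], {}
    for name, attrs in groups.items():
        if "acl" not in attrs:
            findings.append(f"{name}: no acl, client sends all traffic through the tunnel")
        pools.setdefault(attrs.get("pool"), []).append(name)
    for pool, names in pools.items():
        if len(names) > 1:
            findings.append(f"pool {pool} shared by groups {', '.join(sorted(names))}")
    return findings
```

Run it against the output of `show running-config` saved to a file to confirm that only the group meant for full tunnelling lacks an `acl` line.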
04-29-2010 12:47 PM
Robert
The link Federico provided is a partner link, just substitute /partner/ with /customer/, i.e.
Jon